The transmission of a secret message implicates two distinct issues or processes: (1) authentication and (2) encryption.
Authentication pertains to proving the origin or source of a message. The goal of this process is to provide assurance, for example, that the message originated from a particular trusted source, or that the user of a restricted-use device is an authorized user. Encryption seeks to hide the information content of a message so that even if an unintended recipient acquires the message, the information it contains will remain unknown.
This disclosure pertains to the authentication process; that is, how to decide if an entity is who it claims to be. This issue has existed for thousands of years and is not likely to disappear soon. This issue, if anything, has assumed increased significance in recent years with the proliferation of wireless telecommunications and portable electronic devices.
Consider, for example, the harm that can result when a computer is lost or stolen. Whoever holds the device gains access to sensitive information of the device owner, such as credit card numbers, phone numbers and addresses, potentially exposing the owner to identity theft. Business competitors might obtain information from the computer that gives them a competitive advantage. If information contained on the stolen computer pertains to a third party, such as the patient of a medical professional, or the client of an attorney or a financial representative, the third party's medical, legal, or financial information is at risk. In addition to damaging the third party, this could subject the professional who lost the computer to penalties or censure, not to mention a loss of client goodwill and undermined client confidence.
The authentication problem is typically addressed via one of two well-known approaches: (1) authentication based on the possession of certain “knowledge” or (2) authentication based on human physical characteristics or “biometrics.”
Knowledge-based authentication relies on the possession of a password. Although the prototypical “Open Sesame” has given way to the now ubiquitous “PIN” or multi-digit personal identification number, the concept remains the same. The primary advantage of using passwords for authentication is that it simplifies the processing systems required for the authentication process and reduces the manufacturing costs of a protected device or system.
The main disadvantage of using a password is that the user of a password must be security conscious. For example, users who are not accustomed to using a password tend to choose easy-to-remember strings of characters or digits as passwords, such as a family member's name or birth date, a home telephone number, a pet's name, etc. These can be readily deduced by one so inclined with only a modicum of resourcefulness. Furthermore, passwords can easily be stolen, such as when they are “shoulder surfed” by someone watching from a nearby location as a user enters their password into a keypad.
The biometric-based authentication process utilizes characteristics of the human body that are unique to a user. The earliest form of biometric-based authentication, which is still used regularly, is based on physical appearance. “That person looks like John; therefore, that person must be John.” Most of us have shown a “photo ID” to an agent to gain access to a plane, to take an exam, or the like.
It has proven to be quite challenging, however, to implement a computerized facial-pattern-recognition system, as is required when a human interrogator is not present during the authentication process. As a consequence, biometric-authentication devices that qualify a candidate based on characteristics that are more amenable to electronic evaluation have been developed. Examples of biometric characteristics that are now being used for authentication include fingerprints, voice characteristics, iris patterns, retina patterns, blood-vessel patterns, hand shapes, and signature dynamics.
Biometric-based authentication avoids some of the problems endemic to password-based authentication. In particular, it avoids the necessity of memorizing passwords and it cannot be surmised by third parties. Furthermore, biometric information is difficult to counterfeit. That is, even if a user is watched as he is undergoing biometric verification, it is exceedingly difficult to fake qualifying biometric information.
For these reasons, biometric authentication is highly reliable. Unfortunately, specialized equipment (e.g., fingerprint scanners, retinal scanners, etc.) is required to read the user's biological characteristics. This adds size, complexity, and cost to a device that incorporates biometric authentication.
As a consequence, a different approach to authentication that provides the reliability of biometrics, but at the lower cost of a knowledge-based approach, would be of great benefit to many industries and users.